As the old yarn goes, one Francis Galton ran an experiment at the West of England Fat Stock and Poultry Exhibition in Plymouth back in 1906. Around eight hundred people purchased tickets to guess at the weight of an ox. Surprisingly, the median guess of 1,207 pounds was only 9 pounds over the ox’s actual weight of 1,198.[1] This study, told often to American middle schoolers before they guess at the number of jelly beans in a large jar, has plenty of meat to it. It’s also an example of the wisdom that comes from crowdsourcing, long before “crowdsourcing” became a common term to pass the lips of many an exec.
So, what does a 1,200-pound ox have to do with crowdsourcing in cybersecurity? Very little, except to set the stage for this article and illustrate that crowd wisdom can be effective under certain conditions. What are these conditions? Paraphrasing James Surowiecki in The Wisdom of Crowds, there are three requirements: independence of individuals within the crowd, diversity of experience, and some way for the information and analysis to be effectively organized.[2]
Given the chaotic nature of the current security environment, it’s nigh impossible for a small cybersecurity team to uncover all of the potential vulnerabilities of constantly evolving software. It’s like trying to play Whac-a-Mole with an infinitely expanding play area with the occasional mole that whacks back. But what if you had access to a thousand players that specialized in specific sections of the play area and specific moles and shared ideas? You’d get a dated metaphor for cybersecurity crowdsourcing.
Crowdsourcing Solutions
There are a number of issues that crowdsourced cybersecurity seems naturally capable of mitigating:[3]
Scale: even in small organizations, keeping a close eye on the dynamic attack surface that hundreds of applications create is a daunting task. For a single security task force within a company that runs thousands of endpoints, third-party software, and proprietary software, all while trying to follow compliance regs, maintaining a secure landscape on its own is impossible. It’s common knowledge that even critical vulnerabilities can take months to patch effectively, while less severe, yet still potentially disruptive, vulnerabilities are left to simmer for longer. Crowdsourcing specific aspects of a sec team’s workload allows for a more methodical and less fraught approach to organizational security.
Subject Matter: it might be possible to repeat the phrase “cybersecurity is a complex and diverse field” too many times in a twelve-hundred-some-word article, but it’s the crux of the matter when it comes to crowdsourcing. Any given application is a web (perhaps a cobweb) of different components. Each component, along with its myriad interconnections, is prone to vulnerabilities. The manager who’s been working IT for 20+ years might specialize in one aspect of this web, but there is zero chance that they’re an expert in each piece of tech. Open up this application to a crowd of white hats within a controlled operation, and you’d be wise to bet that each aspect of your application has at least one expert poking around.
Time: there’s never enough of it. A security team working under time constraints will only be able to cover a portion of an application, and not with any major depth. Crowdsourcing this engagement can allow more ground to be covered with a much finer comb within the same timeframe. Also, crowdsourced bug searches generally don’t have time requirements and can be ongoing through bug-bounty programs that incentivize deep dives into the nuances of a given application.
Cybersecurity Crowdsourcing Has a History
Per an article by TechRepublic back in 2019, a little over half of 200 surveyed cybersec decision makers have instituted some form of crowdsourcing. The CISOs that did use crowdsourced cybersecurity programs have noticed benefits like “paying for valid results rather than effort or time, the varied expertise of hackers, and continuous coverage of applications.”[4] You can also add high scalability to the list. These crowdsourced programs can range from bug bounties to responsible disclosure programs to hiring a company that sources its own ethical hackers to assist the in-house team’s own vulnerability assessment. It’s also no secret that massive companies like Johnson & Johnson, Apple, Microsoft, Facebook, and Mozilla have been using crowdsourcing programs to bolster the security of their digital landscape for years.[5]
Another powerful attribute of crowdsourced security is the sharing of relevant intelligence. We see the benefits of this in organizations like FIRST, which began in 1990 and created the Common Vulnerability Scoring System in a highly successful attempt to systematize and standardize vulnerability reporting and risk. There’s also the CVE program and MITRE ATT&CK. None of these cornerstones would be able to exist without the time and effort of thousands of cybersecurity professionals and their diverse areas of expertise. You could think of intelligence sharing as a kind of herd immunity. As information spreads between organizations and professionals, the overall, massively interconnected sphere of tech inoculates itself against known vulnerabilities and 0-day threats.
Conclusion
Crowdsourced security testing, information gathering, and cybersecurity awareness are all extremely effective tools used by small to large organizations, governments, and other institutions. SaaS cybersecurity organizations, like Vicarius, offer vulnerability management solutions that curate a number of crowdsourced resources alongside the top-notch expertise of their teams. To maintain a secure digital landscape, it takes a multitude of independent and collaborative experts to ensure that even the smallest hole is detected and filled. That is, unless you’re keen on bailing water instead of fixing the leak.
Sauce:
[1] Bernstein, W. J. (2021). Prelude. In The Delusion of Crowds: Why People Go Mad in Groups (p. 11). Grove Press.
[2] Surowiecki, J. (2005). The Wisdom of Crowds. Anchor Books.
[3] Stephens, L. (2021, November 4). Crowdsourced security is now a need, not a nice to have. Detectify Blog. Retrieved June 3, 2022, from https://blog.detectify.com/2021/11/04/crowdsourced-security-is-now-a-need-not-a-nice-to-have/
[4] Rayome, A. D. N. (2019, March 28). Is crowdsourcing cybersecurity the answer to CISOs’ problems? TechRepublic. Retrieved June 3, 2022, from https://www.techrepublic.com/article/is-crowdsourcing-cybersecurity-the-answer-to-cisos-problems/
[5] Dimov, D. (2015, September 22). Crowdsourcing cybersecurity: How to raise security awareness through crowdsourcing. Infosec Resources. Retrieved June 3, 2022, from https://resources.infosecinstitute.com/topic/crowdsourcing-cybersecurity-how-to-raise-security-awareness-through-crowdsourcing/